
Cannot login with LDAP

Techietubby (talkcontribs)

I have built a MediaWiki 1.42.3 on the latest version of Rocky 9 and imported my database from a previous version. Everything works except (Open)LDAP login, which returns an error when I try to log in. The strange thing is that the error is different if I clear my cookie cache. I know that LDAP is working because I can log in at the OS level using sssd. Is there any way to debug this, as the logs give me no clue?

These are my LocalSettings.php LDAP settings:

######### LDAP ########

#######################

# LDAP Extensions

######################

# NOTE(review): Auth_remoteuser is a session provider for the case where the
# web server has already authenticated the request (Kerberos/SSPI style) and
# exposes the result as $_SERVER['REMOTE_USER']. For a plain LDAP login form it
# is not required; confirm the web server really sets REMOTE_USER before
# keeping it in this list.
wfLoadExtensions( [

        'PluggableAuth',

        'Auth_remoteuser',

        'LDAPProvider',

        'LDAPAuthentication2',

        'LDAPAuthorization',

        'LDAPUserInfo'

] );

# Parser applied to the REMOTE_USER value; 'username-at-domain' presumably
# expects user@domain, while the $wgAuthRemoteuserUserName callback below
# lowercases REMOTE_USER without adding a domain — confirm the two agree.
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';

# Normalizer run on the LDAP user name before it becomes the wiki user name.
$LDAPAuthentication2UsernameNormalizer = 'strtolower';

# Keep local (database) password login available next to LDAP. Both of these
# are assigned again further down in the same file; the last assignment wins.
$LDAPAuthentication2AllowLocalLogin = true;

$wgAuthRemoteuserAllowUserSwitch = true;

$wgPluggableAuth_EnableLocalLogin = true;

$wgAuthRemoteuserUserName = function() {
        // Hand Auth_remoteuser the user name the web server authenticated,
        // lower-cased; an empty string when no REMOTE_USER was set.
        // NOTE(review): whether '' is treated as "no remote user" or as a
        // blank user name is decided inside Auth_remoteuser — confirm, since
        // a web server without an auth module never sets REMOTE_USER.
        return isset( $_SERVER['REMOTE_USER'] )
                ? strtolower( $_SERVER['REMOTE_USER'] )
                : '';
};

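$LDAPProviderDomainConfigProvider = function() {
        // Inline LDAPProvider domain configuration. The top-level key
        // ('acmecorp.com') is presumably the domain name LDAPAuthentication2
        // is handed through $wgPluggableAuth_Config[...]['data']['domain'].
        //
        // Fixed here: the "user" and "pass" entries were written with JSON
        // colon syntax ("user": ...), which is a parse error inside a PHP
        // array literal; PHP key/value pairs use =>.
        //
        // NOTE(review): $LDAPProviderDomainConfigs (a JSON file path) is also
        // set further down in the same file; keep only one of the two sources
        // so it is clear which configuration is actually in effect.
        $config = [
                'acmecorp.com' => [
                        'connection' => [
                                "server" => "auth.acmecorp.com",
                                // Bind account used for searches. This is a
                                // secret: LocalSettings.php must not be readable
                                // by anyone but the web server user.
                                "user" => "cn=readonlyroot,dc=acme,dc=corp",
                                "pass" => "PASSWD",
                                "options" => [
                                        "LDAP_OPT_DEREF" => 1
                                ],
                                "basedn" => "dc=acme,dc=corp",
                                "groupbasedn" => "ou=group,dc=acme,dc=corp",
                                "userbasedn" => "ou=people,dc=acme,dc=corp",
                                "searchattribute" => "uid",
                                "usernameattribute" => "uid",
                                "realnameattribute" => "fullname",
                                "emailattribute" => "mail",
                                // NOTE(review): no "port"/"enctype" given here,
                                // while the ldapprovider.json variant posted later
                                // uses 636/"tls" and the old server used "ssl" on
                                // 636 — confirm which transport the server expects.
                                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                        ],
                        'authorization' => [
                                'rules' => [
                                        'groups' => [
                                                // NOTE(review): this is the same DN as
                                                // the bind account above — presumably a
                                                // user entry, not a group under ou=group.
                                                // If login requires membership of it,
                                                // every login is denied by this rule;
                                                // point it at a real group DN or drop
                                                // the rule while debugging.
                                                'required' => [
                                                        'cn=readonlyroot,dc=acme,dc=corp'
                                                ]
                                        ]
                                ]
                        ],
                        'userinfo' => [
                                // wiki user property => LDAP attribute. "fullname"
                                // here vs "cn" in the JSON variant — check which
                                // attribute the directory actually carries.
                                'attributes-map' => [
                                        'email' => 'mail',
                                        'realname' => 'fullname'
                                ]
                        ]
                ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};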

# In any case we need to specify LDAP domain configs

# NOTE(review): two sources of domain config are set in this file — the inline
# $LDAPProviderDomainConfigProvider above and this JSON path — and the path is
# assigned again below as "$IP/ldapprovider.json". Only the last assignment is
# effective, so keep exactly one source to be sure which config is being
# debugged. "$IP/../ldapprovider.json" keeps the file (and the bind password
# in it) one level above the MediaWiki install directory.
$LDAPProviderDomainConfigs = "$IP/../ldapprovider.json";

# Local login is enabled

$wgPluggableAuth_EnableLocalLogin = true;

$LDAPAuthentication2AllowLocalLogin = true;

# Single-plugin PluggableAuth setting; the multi-plugin $wgPluggableAuth_Config
# form is also used below. Check which of the two the installed PluggableAuth
# version reads — presumably not both.
$wgPluggableAuth_Class = "MediaWiki\\Extension\\LDAPAuthentication2\\PluggableAuth";

$wgPluggableAuth_ButtonLabel = "Log In (PluggableAuth)";

# 'domain' must match a top-level key of the LDAPProvider domain config. The
# inline config above uses 'acmecorp.com', but the ldapprovider.json posted
# later in this thread uses "LDAP" as its key — with that file active the
# domain lookup would presumably fail.
$wgPluggableAuth_Config['Log In (auth1.acmecorp.com)'] = [

    'plugin' => 'LDAPAuthentication2',

    'data' => [

        'domain' => 'acmecorp.com'

    ]

];

# LDAP

# NOTE(review): PluggableAuth, LDAPProvider and LDAPAuthentication2 are
# already loaded by the wfLoadExtensions( [...] ) call above; these repeated
# wfLoadExtension() calls and the re-assignments that follow should be
# removed so the effective configuration is readable in one place.
wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false; #if true, disables the logout option

$wgPluggableAuth_EnableLocalLogin = true;

wfLoadExtension( 'LDAPProvider' );

# Second assignment: this path, inside the install directory, is the one that
# takes effect — not "$IP/../ldapprovider.json" above.
$LDAPProviderDomainConfigs = "$IP/ldapprovider.json";

wfLoadExtension( 'LDAPAuthentication2' );

$LDAPAuthentication2AllowLocalLogin = true;

### EDIT EDIT ENABLE DEBUG LOGS

/**

* The debug log file must never be publicly accessible because it

* contains private data. But ensure that the directory is writeable by the

* PHP script running within your Web server.

* The filename is with the database name of the wiki.

*/

# NOTE(review): /var/log/mediawiki must exist and be writable by the web
# server user; check that this file is actually created and growing before
# concluding that the LDAP extensions are silent.
$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";

### ALSO turn on LDAP debug

# NOTE(review): $wgLDAPDebug is a setting of the legacy LDAP_Authentication
# extension (the $wgLDAP* family used on the old 1.34 server), not of the
# LDAPProvider stack loaded above; it presumably has no effect here.
$wgLDAPDebug = 99;

# The group name has to match the log channel the extensions actually write
# to; take the exact name from the LDAPProvider / LDAPAuthentication2
# documentation rather than assuming 'ldap'.
$wgDebugLogGroups['ldap'] = '/var/log/mediawiki/debug-ldap.log';

# Renders full exception messages and stack traces (including server file
# paths) to every visitor, as in the error posted in this thread. Useful
# while debugging; set back to false afterwards.
$wgShowExceptionDetails = true;

#$wgRevokePermissions['user']['createaccount'] = true;

# Prevent new user registrations except by sysops

$wgGroupPermissions['*']['createaccount'] = false;

## Forces user to login to view Wiki

## # The following permissions were set based on your choice in the installer

## $wgGroupPermissions['*']['createaccount'] = false;

## $wgGroupPermissions['*']['edit'] = false;

## $wgGroupPermissions['*']['read'] = false;

Techietubby (talkcontribs)

I have also tried using ldapprovider.json, but that doesn't help either.

{

  "LDAP": {

    "connection": {

      "server": "auth.acme.com",

      "user": "cn=readonlyroot,dc=acme,dc=corp",

      "pass": "PASSWD",

      "port": 636,

      "enctype": "tls",

      "options": {

        "LDAP_OPT_DEREF": 1

      },

      "basedn": "dc=acme,dc=corp",

      "userbasedn": "ou=people,dc=acme,dc=corp",

      "groupbasedn": "ou=group,dc=acme,dc=corp",

      "searchattribute": "uid",

      "searchstring": "uid=USER-NAME,ou=people,dc=acme,dc=corp",

      "usernameattribute": "uid",

                        "realnameattribute": "cn",

                        "emailattribute": "mail"

    },

    "userinfo": {

      "attributes-map": {

        "email": "mail",

        "realname": "cn",

        "nickname": "uid"

      }

    }

  }

}

Osnard (talkcontribs)

[...] The strange thing is that the error is different if I clear my cookie cash. [...]

What exactly is the error?

Please, enable debug logging and share the (redacted) results.

Techietubby (talkcontribs)

MediaWiki internal error.

Original exception: [Zxt-iIUMHHwirGji-KznVQAAAMA] /wiki/index.php?title=Special:UserLogin&returnto=Development+Info+Wiki TypeError: Cannot assign null to property MediaWiki\Extension\Auth_remoteuser\UserNameSessionProvider::$remoteToken of type string

Backtrace:

from /var/www/html/mediawiki-1.42.3/extensions/Auth_remoteuser/src/UserNameSessionProvider.php(793)

#0 /var/www/html/mediawiki-1.42.3/includes/session/SessionBackend.php(756): MediaWiki\Extension\Auth_remoteuser\UserNameSessionProvider->persistSession()

#1 /var/www/html/mediawiki-1.42.3/includes/session/SessionBackend.php(670): MediaWiki\Session\SessionBackend->save()

#2 /var/www/html/mediawiki-1.42.3/includes/session/SessionBackend.php(346): MediaWiki\Session\SessionBackend->autosave()

#3 /var/www/html/mediawiki-1.42.3/includes/session/Session.php(133): MediaWiki\Session\SessionBackend->persist()

#4 /var/www/html/mediawiki-1.42.3/includes/specialpage/LoginSignupSpecialPage.php(249): MediaWiki\Session\Session->persist()

#5 /var/www/html/mediawiki-1.42.3/includes/specialpage/SpecialPage.php(719): MediaWiki\SpecialPage\LoginSignupSpecialPage->execute()

#6 /var/www/html/mediawiki-1.42.3/includes/specialpage/SpecialPageFactory.php(1669): MediaWiki\SpecialPage\SpecialPage->run()

#7 /var/www/html/mediawiki-1.42.3/includes/actions/ActionEntryPoint.php(504): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#8 /var/www/html/mediawiki-1.42.3/includes/actions/ActionEntryPoint.php(145): MediaWiki\Actions\ActionEntryPoint->performRequest()

#9 /var/www/html/mediawiki-1.42.3/includes/MediaWikiEntryPoint.php(199): MediaWiki\Actions\ActionEntryPoint->execute()

#10 /var/www/html/mediawiki-1.42.3/index.php(58): MediaWiki\MediaWikiEntryPoint->run()

#11 {main}

Exception caught inside exception handler: [Zxt-iIUMHHwirGji-KznVQAAAMA] /wiki/index.php?title=Special:UserLogin&returnto=Development+Info+Wiki TypeError: Cannot assign null to property MediaWiki\Extension\Auth_remoteuser\UserNameSessionProvider::$remoteToken of type string

Backtrace:

from /var/www/html/mediawiki-1.42.3/extensions/Auth_remoteuser/src/UserNameSessionProvider.php(793)

#0 /var/www/html/mediawiki-1.42.3/includes/session/SessionBackend.php(756): MediaWiki\Extension\Auth_remoteuser\UserNameSessionProvider->persistSession()

#1 /var/www/html/mediawiki-1.42.3/includes/session/SessionBackend.php(659): MediaWiki\Session\SessionBackend->save()

#2 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#3 /var/www/html/mediawiki-1.42.3/vendor/wikimedia/scoped-callback/src/ScopedCallback.php(102): call_user_func_array()

#4 /var/www/html/mediawiki-1.42.3/vendor/wikimedia/scoped-callback/src/ScopedCallback.php(58): Wikimedia\ScopedCallback->__destruct()

#5 /var/www/html/mediawiki-1.42.3/includes/session/SessionManager.php(951): Wikimedia\ScopedCallback::consume()

#6 /var/www/html/mediawiki-1.42.3/includes/session/SessionManager.php(268): MediaWiki\Session\SessionManager->getSessionFromInfo()

#7 /var/www/html/mediawiki-1.42.3/includes/Request/WebRequest.php(864): MediaWiki\Session\SessionManager->getSessionById()

#8 /var/www/html/mediawiki-1.42.3/includes/skins/Skin.php(1721): MediaWiki\Request\WebRequest->getSession()

#9 /var/www/html/mediawiki-1.42.3/includes/skins/Skin.php(1730): Skin->hideNewTalkMessagesForCurrentSession()

#10 /var/www/html/mediawiki-1.42.3/includes/skins/SkinMustache.php(137): Skin->getNewtalks()

#11 /var/www/html/mediawiki-1.42.3/skins/Vector/includes/SkinVectorLegacy.php(161): SkinMustache->getTemplateData()

#12 /var/www/html/mediawiki-1.42.3/includes/skins/SkinMustache.php(92): MediaWiki\Skins\Vector\SkinVectorLegacy->getTemplateData()

#13 /var/www/html/mediawiki-1.42.3/includes/skins/SkinTemplate.php(176): SkinMustache->generateHTML()

#14 /var/www/html/mediawiki-1.42.3/includes/Output/OutputPage.php(3004): SkinTemplate->outputPage()

#15 /var/www/html/mediawiki-1.42.3/includes/exception/MWExceptionRenderer.php(189): MediaWiki\Output\OutputPage->output()

#16 /var/www/html/mediawiki-1.42.3/includes/exception/MWExceptionRenderer.php(106): MWExceptionRenderer::reportHTML()

#17 /var/www/html/mediawiki-1.42.3/includes/exception/MWExceptionHandler.php(133): MWExceptionRenderer::output()

#18 /var/www/html/mediawiki-1.42.3/includes/exception/MWExceptionHandler.php(237): MWExceptionHandler::report()

#19 /var/www/html/mediawiki-1.42.3/includes/MediaWikiEntryPoint.php(221): MWExceptionHandler::handleException()

#20 /var/www/html/mediawiki-1.42.3/includes/actions/ActionEntryPoint.php(82): MediaWiki\MediaWikiEntryPoint->handleTopLevelError()

#21 /var/www/html/mediawiki-1.42.3/includes/MediaWikiEntryPoint.php(205): MediaWiki\Actions\ActionEntryPoint->handleTopLevelError()

#22 /var/www/html/mediawiki-1.42.3/index.php(58): MediaWiki\MediaWikiEntryPoint->run()

#23 {main}

Techietubby (talkcontribs)

I enabled debugging as follows but couldn't see anything LDAP related.


# NOTE(review): $wgLDAPDebug belongs to the legacy LDAP_Authentication
# extension, and 'ldap' has to be the log group the LDAPProvider stack
# actually writes to. If neither matches the installed extensions, the
# absence of LDAP lines in the log is expected rather than a sign that the
# extensions are not running.
$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";

### ALSO turn on LDAP debug

$wgLDAPDebug = 99;

$wgDebugLogGroups['ldap'] = '/var/log/mediawiki/debug-ldap.log';

# Exposes full stack traces to all visitors; revert once debugging is done.
$wgShowExceptionDetails = true;

Techietubby (talkcontribs)

Stupid question: Which directory should this be in? /var/www/html/mediawiki-1.42.3 or /var/www/html ?

# $IP is MediaWiki's install path — /var/www/html/mediawiki-1.42.3 according
# to the backtrace above — so "$IP/../ldapprovider.json" resolves to
# /var/www/html/ldapprovider.json. Keeping it there (outside the install
# directory) is fine provided the web server's document root is the install
# directory and not /var/www/html; otherwise the file, which holds the LDAP
# bind password, becomes downloadable. Make it readable only by the web
# server user in either case.
$LDAPProviderDomainConfigs = "$IP/../ldapprovider.json";

Osnard (talkcontribs)

You are using Extension:Auth_remoteuser. Can you confirm you have set up the webserver in a way it provides a $_SERVER['REMOTE_USER']? Something like Kerberos authentication?

Techietubby (talkcontribs)

I have not done any browser configuration other than to create the ssl.conf and to install the SSL certs, as I cannot find any instructions for this, so any advice would be gratefully received.

I built this server from scratch and imported the database from a very old server that runs Centos-7 and has never been updated. It is using the original LDAPAUTH plugin and I can only see the changes that were made to LocalSettings.php. Is there somewhere else I should look?

Both servers are authenticating to an OpenLDAP server.

Osnard (talkcontribs)

The old Extension:LDAP_Authentication supported implicit authentication via . But it did not require it. I cannot tell if it was used in your old set up (maybe you can share a redacted version of your old configuration here). If not, you don't need Extension:Auth_remoteuser. If it was, you need to configure your webserver in a way that it performs the Kerberos authentication and hands over the authenticated username to the wiki application (usually this is done in the $_SERVER['REMOTE_USER'] variable). It highly depends on your webserver (Apache, Nginx, IIS) how this needs to be done.

Techietubby (talkcontribs)

Hi,

The old v1.34.2 server used:

// Legacy LDAP_Authentication ($wgAuth / $wgLDAP*) configuration from the old
// 1.34 server; these variables belong to that extension, not to the
// LDAPProvider stack. NOTE(review): no Auth_remoteuser / REMOTE_USER based
// auto-login appears here, so the new setup presumably does not need
// Auth_remoteuser either.
$wgAuth = new LdapAuthenticationPlugin(); $wgAuthManagerAutoConfig['primaryauth'] += [

  LdapPrimaryAuthenticationProvider::class => [
      'class' => LdapPrimaryAuthenticationProvider::class,
      'args' => [[
             'authoritative' => true, // don't allow local non-LDAP accounts
         ]],
      'sort' => 50, // must be smaller than local pw provider
  ],

];

// Two server-name assignments; the second ("ldapserver.ACMEcorp.com") is the
// effective one.
$wgLDAPDomainNames = array("ACMELDAP"); $wgLDAPServerNames = array("ACMELDAP"=>"auth.ACMEcorp.com");

$wgLDAPServerNames = array("ACMELDAP"=>"ldapserver.ACMEcorp.com");

$wgLDAPUseLocal = false;

// Duplicate keys in one array literal: PHP keeps the last value ("clear"),
// but the assignment on the next line overrides the whole thing to "ssl".
$wgLDAPEncryptionType = array("ACMELDAP"=>"ssl"); $wgLDAPEncryptionType = array("ACMELDAP"=>"tls", "ACMELDAP"=>"ssl", "ACMELDAP"=>"clear", );

// Effective transport: "ssl" on port 636. NOTE(review): the ldapprovider.json
// posted earlier uses port 636 with "enctype": "tls"; if LDAPProvider
// distinguishes ssl (LDAPS) from tls (StartTLS) the way the old extension did,
// that combination will not connect — "ssl" on 636 is what worked before.
$wgLDAPEncryptionType = array("ACMELDAP"=>"ssl"); $wgLDAPOptions = array("ACMELDAP" => array( LDAP_OPT_DEREF, 1 )); $wgLDAPPort = array("ACMELDAP"=>636);

// Leftover entry for a domain that is not in $wgLDAPDomainNames; harmless.
$wgLDAPSearchStrings = array("testLDAPdomain"=>"uid=USER-NAME,ou=people,dc=ACME,dc=corp");

// Search and bind settings that map onto the new 'connection' block: the
// proxy agent is the bind user (cn=readonlyroot), the password is redacted.
// 'autocreateaccount' is what lets an LDAP-authenticated user receive a local
// wiki account on first login while self-registration stays disabled.
$wgLDAPSearchStrings = array("ACMELDAP"=>"uid=USER-NAME,ou=people,dc=ACME,dc=corp"); $wgLDAPSearchAttributes = array("ACMELDAP"=>"uid"); $wgLDAPBaseDNs = array("ACMELDAP"=>"dc=ACME,dc=corp"); $wgLDAPGroupBaseDNs = array("ACMELDAP"=>"ou=group,dc=ACME,dc=corp"); $wgLDAPUserBaseDNs = array("ACMELDAP"=>"ou=people,dc=ACME,dc=corp"); $wgLDAPProxyAgent = array("ACMELDAP" => "cn=readonlyroot,dc=ACME,dc=corp"); $wgLDAPProxyAgentPassword = array("ACMELDAP" => "PASSWD"); $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['autocreateaccount'] = true;

Techietubby (talkcontribs)

I have double-checked and I have enabled the extra plugin:

#######################

# LDAP Extensions

######################

# NOTE(review): Auth_remoteuser is only useful when the web server itself
# authenticates the request and sets $_SERVER['REMOTE_USER']; the old 1.34
# config in this thread shows no such auto-login, so it is presumably not
# needed here.
wfLoadExtensions( [

        'PluggableAuth',

        'Auth_remoteuser',

        'LDAPProvider',

        'LDAPAuthentication2',

        'LDAPAuthorization',

        'LDAPUserInfo'

] );

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;

$wgAuthRemoteuserAllowUserSwitch = true;

$wgPluggableAuth_EnableLocalLogin = true;

# NOTE(review): $wgLDAPProxyAgent / $wgLDAPProxyAgentPassword are legacy
# LDAP_Authentication settings (see the old 1.34 config in this thread). With
# LDAPProvider the bind DN and password belong in the "connection" block of
# the domain config ("user" / "pass"), so this line presumably has no effect
# and only duplicates the secret in a second place.
# $wgLDAPProxyAgent = array("LDAP" => "cn=readonlyroot,dc=acme,dc=corp");

$wgLDAPProxyAgentPassword = array("LDAP" => "PASSWD");

# In any case we need to specify LDAP domain configs

# NOTE(review): this path is inside the MediaWiki install directory under
# /var/www/html. If that directory is the web server's document root, the JSON
# file — which contains the LDAP bind password — is downloadable unless the
# web server is configured to deny it; the commented "$IP/../" variant kept it
# outside the install tree. Wherever it lives, make it readable only by the
# web server user.
$LDAPProviderDomainConfigs = "/var/www/html/mediawiki-1.42.3/ldapprovider.json";

#$LDAPProviderDomainConfigs = "$IP/../ldapprovider.json";

## Prevent users from adding accounts

#$wgRevokePermissions['user']['createaccount'] = true;

## Prevent new user registrations except by sysops

$wgGroupPermissions['*']['createaccount'] = false;

## Forces user to login to view Wiki

## # The following permissions were set based on your choice in the installer

# Same assignment repeated three times; harmless, but collapse to one.
$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['createaccount'] = false;

# Lets an LDAP-authenticated user receive a local wiki account on first login
# while self-registration stays disabled; the old server set this as well.
$wgGroupPermissions['*']['autocreateaccount'] = true;

I have tested this but still it doesn't work and I see no LDAP messages in the logs. Do I have to configure Apache in some way?
